Features
Pricing Technology Roadmap Docs
Get Started
English Deutsch Français Italiano العربية

Privacy Policy

Last updated: March 2026

1. Introduction

Maravilla Labs ("we", "us", "our"), based in Basel, Switzerland, operates the Maravilla Cloud platform at www.maravilla.cloud. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our services.

We are committed to protecting your privacy in accordance with the Swiss Federal Act on Data Protection (FADP/nDSG) and the European General Data Protection Regulation (GDPR).

2. Data We Collect

We collect only the data necessary to provide our services:

  • Email address — for account registration, authentication, and transactional notifications.
  • Handle (username) — your chosen public identifier on the platform.
  • Password hash — a securely hashed representation of your password (we never store plaintext passwords).
  • Timestamps — account creation, last login, and activity timestamps.
  • Integration OAuth tokens — if you connect third-party services, we store the encrypted access tokens necessary for the integration.

3. How We Use Your Data

  • Authentication & access control — to verify your identity and manage permissions.
  • Service delivery — to provide, maintain, and improve the platform.
  • Transactional communication — to send account-related emails such as verification, password reset, and invitation notifications.
  • Security & abuse prevention — to detect and prevent unauthorized access and platform abuse.

We do not use your data for advertising, profiling, or any purpose unrelated to the delivery of our services.

4. Legal Basis for Processing

  • Contract performance (Art. 6(1)(b) GDPR) — processing necessary to provide the services you signed up for.
  • Legitimate interest (Art. 6(1)(f) GDPR) — security monitoring, fraud prevention, and platform improvement.
  • Consent (Art. 6(1)(a) GDPR) — where explicitly provided, such as for optional integrations.

5. Data Retention

We retain data only for as long as necessary:

  • Audit logs — 365 days
  • Usage snapshots — 90 days
  • Password reset tokens — 24 hours
  • Invitation tokens — 2 days
  • Account data — retained for the duration of your account and deleted upon account termination, subject to any legal retention obligations.

6. Third Parties

We minimize third-party data sharing. The external services that may process personal data are:

  • Mailgun (EU region) — for sending transactional emails (verification, password reset, invitations). Mailgun processes your email address solely to deliver these messages. Data is processed within the European Union.
  • Google Analytics (Google Ireland Ltd.) — only on the public marketing site at www.maravilla.cloud, and only after you have given consent via our cookie banner. We use Google Analytics 4 with IP anonymization enabled to understand aggregate traffic patterns and improve our site. No analytics data is collected if you decline. The Google Analytics service may transfer data to Google LLC (USA) under the EU–US Data Privacy Framework.

We do not use advertising networks or behavioral profiling services.

Maravilla Labs also operates the signup-form tool at tools.4myhoneybee.com. Forms hosted there which are operated by us are covered by this Privacy Policy as a single-controller arrangement (same legal entity, same purpose: visitor analytics on properties we own). Forms hosted on the same domain by other parties are subject to their own privacy policies, displayed on the form itself.

7. Cookies and Local Storage

The following items are strictly necessary and do not require consent under ePrivacy Article 5(3):

  • Authentication cookie — a secure, httpOnly cookie containing a JWT token for session management on the platform. Cannot be read by JavaScript; HTTPS only.
  • mv_country cookie — on the marketing site only. Contains the visitor's country code (ISO 3166-1 alpha-2, e.g. "DE") derived from the IP address by our edge proxy. Used solely to determine whether the consent banner must be shown. Lifetime: 24 hours. Anonymous, no profiling, never shared.
  • mv_consent in browser local storage — on the marketing site only. Stores your consent decision (accepted / rejected / not-applicable) so we don't ask again. Lifetime: 12 months. Stored only in your browser, never transmitted to us.

The following are optional and only set after you accept via the consent banner:

  • Google Analytics cookies (_ga, _ga_*) — first-party cookies set by the Google Analytics script, used to distinguish unique visitors and sessions. Lifetime: up to 2 years. Set by Google's script only after consent.

You can change or withdraw your analytics consent at any time via the “Cookie settings” link in the footer.

Where you have given consent on this website, that consent also covers other websites we operate for the same purpose (visitor analytics), so you are not asked again on each property. This applies only to sites we operate ourselves and is described in Section 6.

8. Your Rights

Under the GDPR and Swiss data protection law, you have the following rights:

  • Right of access (Art. 15 GDPR) — obtain a copy of your personal data.
  • Right to rectification (Art. 16 GDPR) — correct inaccurate personal data.
  • Right to erasure (Art. 17 GDPR) — request deletion of your personal data.
  • Right to data portability (Art. 20 GDPR) — receive your data in a structured, machine-readable format.
  • Right to object (Art. 21 GDPR) — object to processing based on legitimate interest.
  • Right to lodge a complaint — you may file a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) or your local EU supervisory authority.

To exercise any of these rights, contact us at the address below.

9. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • Passwords are hashed using industry-standard algorithms and are never stored in plaintext.
  • Authentication tokens are stored in secure, httpOnly cookies transmitted exclusively over HTTPS.
  • Sensitive secrets and API keys are encrypted at rest using AES-256-GCM.
  • All data is stored on infrastructure operated within Europe.

10. Contact

If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:

Maravilla Labs
Basel, Switzerland
Email: privacy@maravilla.cloud